On Thu, Jan 27, 2011 at 2:03 AM, Indunil Jayasooriya indunil75@gmail.com wrote:
> On Thu, Jan 27, 2011 at 12:15 PM, Always Learning centos@g7.u22.net wrote:
> > Hallo,
> > I wanted to avoid typing in my password every occasion I remotely logged on to a server.
> You expect passwordless SSH. If so,
> On your PC
> # ssh-keygen -t rsa ( passphrase should be empty )
NO!!! NO!!! NO!!! NO!!!
I'm sorry, but this is a far too common and very, very bad practice. You may as well tape a Post-It note with your password on it under your keyboard, because anyone who can get this un-passphrase-protected key will be able to automatically log in as you. The normal approach is to investigate how to use ssh-agent to store your unlocked key in an active session, not use a passphrase-less key. The "keychain" utility is very handy for just this purpose, and it's available in the RPMforge repositories for RHEL 5 and CentOS 5.
Far too many people say "but you have to trust your own machine!!!" and leave these passphrase-less keys lying around, and they're a popular vulnerability for crackers to steal if they can gain *any* access to your systems. It's particularly bad in environments that use NFS and allow local hosts to be run by local users: any such local admin can then "su" to become other users and access their private keys.
Also, there's a stack of reasons that DSA is preferred to RSA for SSH keys these days. When you generate your private keys, use "ssh-keygen -t dsa", not rsa.
> Generating public/private rsa key pair.
> Enter file in which to save the key (/root/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> then,
> # cd /root/.ssh/
> Pls scp id_rsa.pub to the Server
> # scp id_rsa.pub root@server:/root/.ssh/authorized_keys
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be used, reasonably, for account access on other hosts, but should be avoided for root access. If you *HAVE* to use an SSH key for root, for example for "rsync" based backup operations, use rssh to restrict its operations or designate a permitted command associated with that key in the target's authorized_keys.
> Then, finally, ssh to the server from your PC. It would be passwordless. Please see below.
Sadly, this will *work*, but so does tying your car keys to your car door so you don't lose them. It's a security issue.
Please, read the manual pages on "ssh-agent" which was designed and built into SSH deployments for just such use.
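An added example, written for this page and not code from the thread or any of its participants, of the restriction the reply recommends for a root backup key that cannot be avoided: an authorized_keys entry that forces a wrapper script and strips forwarding and PTY allocation, plus the wrapper's allow-list check on SSH_ORIGINAL_COMMAND (the command the client actually asked sshd to run). The wrapper path /usr/local/bin/backup-only.sh, the backup directory /srv/backup/, the client address 192.0.2.10 and the sample public key are all assumptions.

```shell
#!/bin/sh
# Added example for restricting a key in authorized_keys (not code from the thread).
# Assumptions: the wrapper is installed at /usr/local/bin/backup-only.sh and the only
# thing the key may do is serve an rsync pull of /srv/backup/.

# Build a restricted authorized_keys line for a public key. The options are the
# standard OpenSSH ones: command= forces the wrapper regardless of what the client
# requests, the no-* options remove forwarding and PTY allocation, from= pins the
# client address.
# Usage: restrict_key '<public key line>' '<wrapper path>' '<client address>'
restrict_key() {
    pubkey="$1"; wrapper="$2"; client="$3"
    printf 'command="%s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$wrapper" "$client" "$pubkey"
}

# Allow-list check the wrapper applies to $SSH_ORIGINAL_COMMAND. Only
# "rsync --server --sender -<flags> . /srv/backup/" passes, and <flags> is limited
# to letters and dots so that no shell metacharacter, extra argument or different
# path can be smuggled in. Returns 0 when the command is allowed, 1 otherwise.
allow_original_command() {
    cmd="$1"
    prefix='rsync --server --sender -'
    suffix=' . /srv/backup/'
    case "$cmd" in
        "$prefix"*"$suffix") ;;
        *) return 1 ;;
    esac
    flags="${cmd#"$prefix"}"
    flags="${flags%"$suffix"}"
    case "$flags" in
        ""|*[!A-Za-z.]*) return 1 ;;
    esac
    return 0
}

# Entry point when sshd runs the wrapper as the forced command.
run_forced_command() {
    if allow_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word-splitting is safe here: the string holds only the validated tokens.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "backup-only.sh: rejected command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    exit 1
}

# With --show, print the authorized_keys line for a constructed sample key.
if [ "${1:-}" = "--show" ]; then
    restrict_key 'ssh-rsa AAAACONSTRUCTEDKEY backup@client' \
        /usr/local/bin/backup-only.sh 192.0.2.10
fi
```

The client side is unchanged by this: the backup host still uses a passphrase-protected key loaded into ssh-agent, as the reply recommends. The restriction limits what the key can do on the server if it is ever copied, and the rejected-command message lands in the sshd side's logs, where it is worth watching for.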